The Best VPN Routers for 2019

VPN routers provide all the data safety and privacy features of a VPN client, but they do so for every device that connects to them. We test 10 of the best models that can act as VPN gateways for your home or small business.

Bottom Line: The D-Link AC5300 Ultra Wi-Fi Router (DIR-895L/R) is a slick-looking, fully loaded tri-band router that delivers some of the fastest scores we've seen in throughput and file-transfer tests.

Bottom Line: If you frequently game online or stream 4K video, the Asus RT-AC5300 is a tri-band router that delivers speedy 2.4GHz and 5GHz throughput and offers an abundance of management settings, as w...

Bottom Line: The Netgear Nighthawk AC2300 (R7000P) is a dual-band router that offers good close-range throughput and a handful of subscription-based network security and parental-control options, but its...

Oliver RistThe Best VPN Routers for 2019VPN routers provide all the data safety and privacy features of a VPN client, but they do so for every device that connects to them. We test 10 of the best models that can act as VPN gateways for your home or small business.

Put Your Home on Virtual Lockdown

Chocolate and peanut butter, eBay and your significant other's credit card, internet surfing and a virtual private network (VPN); What do these things have in common? They're good on their own but great when put together. And here's another great pairing: VPNs and your router. Before your eyes glaze over, give the idea a chance, because combining these two things isn't only easy, it makes both significantly better.

Editors' Note: IPVanish is owned by j2 Global, the parent company of PCMag's publisher, Ziff Davis.

Why Install a VPN on Your Router?

If you're a typical internet user, then you should already be using a VPN, at least in its web service incarnation. That is, unless you like having your web habits scrutinized and your data open to anyone because it's not encrypted. This means downloading a free client or paying a small monthly dollar amount for a premium, more full-featured client from makers such as NordVPN. In either case, you'll pay for each client application individually, and you'll download one to every device you use to trundle through the interweb jungle.

That's an OK approach if you've got one or two devices, but what about a typical family who might have several notebooks, desktops, tablets, phones, TVs, and other smart home devices connected to a network? That's not only a lot of devices, that's a lot of VPN clients with fees that can add up if you're using one for every device. But what if you could just install a single VPN client directly on your router? That's one download and one installation and configuration session. And after that, every device on your side of the router will use the VPN when it connects to the outside world. If that's not a better-together scenario, I don't know what is. You're probably saving money and you don't have to worry if the kids are remembering to activate the VPN before they connect, because the router keeps it active all of the time.

All of the routers featured here support the ability to install a VPN client, though they might do it in only one of the different ways we'll describe below. Most commonly, they will support the OpenVPN standard, meaning you can configure a VPN with any provider that supports that standard. Alternatively, the featured models may be compatible with the DD-WRT or Tomato router operating systems (more on that below). Once you've upgraded your router to one of these platforms, you'll be able to configure a VPN on it.

Key VPN Router Considerations

While the benefits of having a VPN on your router are clear, the path to choosing one, ironically, starts with considering the downsides, of which there are basically two. The first is that setting up a VPN client on your router isn't quite as simple as doing it on your average user-style device, though it's by no means neurosurgery. The second downside is probably the more important one and that's bandwidth considerations.

By forcing your connection out through a single VPN tunnel, you're effectively limiting your internet speed to whatever throughput that tunnel can provide. This means you really, really need to pay attention to the speed tests of our VPN reviews because you want the fastest one available in your area. You also want to test such services yourself on your own devices and across your own internet connection before committing to one, as these numbers can be highly dependent on geography.

If you're willing to tackle some complexity, then you've got more options when it comes to bandwidth optimization. Let's say you're paying for a fat, 1 gigabits per second (Gbps) internet connection from Verizon Fios, our Editors' Choice-winning internet service provider (ISP). Let's also say you manage to install a second router next to your hyper-proprietary Verizon Fios router and install a VPN client on that. But your VPN provider can only support 200 megabits per second (Mbps) between you and its servers.

What this means is: You're now paying for 800 Mbps that you're no longer using since you're pointing every internet-capable device in your home at that one VPN tunnel. In this scenario, you'd still save money by installing two or maybe even three VPN clients on your router, each pointing to a different VPN provider with each of those providing their own +/-200 Mbps connection. Now you point different devices at different VPNs so everyone gets a fair slice of the Verizon Fios bandwidth pie. Your son's gaming PC, your husband's work notebook, and the Smart TV share VPN tunnel A, while your notebook, your daughter's iPad Pro, and your Voice-over-IP (VoIP) phone system share Tunnel B. Like that. You'd now be using most of your Verizon Fios bandwidth, and you'd still be saving money over installing and paying for a separate VPN client for every device.

If you're router-savvy, then you can do this with source routing. But whether or not your particular router supports source routing is something you'll need to find out from the documentation. More advanced routing OSes, like DD-WRT, support source routing either directly or via policy routing (see below), but again, this isn't for beginners.

Given all of that complexity, most consumers will simply opt for the fastest VPN connection they can get and split that up among their home devices since it will be a fairly rare day that all devices will be trying to connect simultaneously. If you want to measure your internet speed both with and without a VPN connection, then use the PCMag Speed Test.

How to Choose a VPN Router

Once you've determined that running your VPN from the router really is better for you, there comes the question of choosing one. Here's where it might get a little complex...or not, if you're a little bit fortunate. That's because there are several ways to get a router that's VPN-capable. The most direct way is to simply buy one from your VPN provider.

Several personal VPN service providers are now offering routers that come preconfigured with one of their clients, including market leaders such as NordVPN and TorGuard VPN. Not only do you get a client ready and working, you also often get a fairly wide selection of routers. TorGuard, for example, offers its client on routers from Asus, GLI, Linksys, and Netgear, among others. Downside? Lack of flexibility in configuration and, potentially, price depending on how the service provider decides to charge for a client housed on a router over one confined to a single device. For those looking to keep more control, however, you'll need to delve into DIY (do-it-yourself).

When going the DIY route, your first step should be to check the features table above this article as well as your current router's documentation. You're looking to see whether it's VPN-compatible, whether it's specifically compatible with any particular VPN vendor, or whether it's compatible with OpenVPN.

OpenVPN isn't just a standalone VPN product, it's also an open-source VPN platform that's become something of a standard in the VPN world. Providers often support their own platform as well as OpenVPN simply to give their customers, especially their small business customers, some choice when it comes to client software since downloading the OpenVPN client is free. Remember, your router is essentially a little computer with its own proprietary OS embedded in its firmware. What that OS supports is up to each router manufacturer (i.e., Asus, Linksys, and Netgear, to name a few). If your router supports OpenVPN, then it's compatible with a large swath (though not all) VPN service providers. Some will provide documentation on configuring an OpenVPN client with their service, but some won't.

Your best bet is to start with the VPN provider's documentation, then check the router manufacturer's documentation, and then do an internet search to see if the process is described in any third-party support forums. Move on to another, more router-friendly VPN provider if all of those steps fail. Though, if you're determined to go the DIY router, then that's not your only path.

The Pre-Flashed Router Option

If your router's installed OS can't help you, then it's time to think about another OS. This could mean buying another router or it could mean upgrading the one you have an alternate router OS, typically either DD-WRT or Tomato. These are two open-source, alternate router environments that you can download and install on your router, provided your router is compatible and your router maker allows this. If it's allowed, then either of these downloads will effectively replace your current router's OS (and full disclosure: will most likely also replace your warranty with that router manufacturer).

Again, while this isn't proverbial rocket science, it's not for the technically faint of heart, either. However, the benefits are significant. Both DD-WRT and Tomato are ongoing projects that are constantly being improved, which means you're getting a number of features that your native router OS probably doesn't have. One of these features is full support for OpenVPN, which means that, as soon as you've flash-converted your router to either DD-WRT or Tomato, you'll be compatible with a large number of VPN providers.

If all this talk of cracking your router's brain open is making your techno-knees a little weak, don't despair because where there's an even mildly thorny technology problem, there's usually a happy geek waiting to solve it for you, provided you pay her enough. That's the same thing here, though in this instance, that geek will be selling what's called "pre-flashed routers."

Pre-flashed routers are exactly what the name implies: a name-brand router sold to you by a third party that has taken on the headache of flashing the router to a new OS, usually DD-WRT. You're basically getting the same thing as you would get if you bought a router directly from NordVPN or TorGuard. However, some pre-flash vendors offer not only an upgrade to the router's OS, they also offer to simply sell you a router with a proprietary VPN client pre-installed, such as ExpressVPN.

In some cases, they even replace the support and warranty from the original router maker if their customization machinations were enough to void it. A quick internet search will provide a list of such vendors and, once you choose the router you want, they'll deliver it to your door with the requested OS, custom configuration, or VPN client pre-installed and ready to go (though, again, at something of a premium over buying the router direct from the manufacturer and doing the upgrade yourself).

That can be well worth it, however, since you're getting a lot more here than just the ability to run a VPN on your router. DD-WRT is probably faster than a standard router OS, gets regular updates that are probably a little more regular than a standard router OS, and offers a plethora of additional features that alpha-geeks will love because it lets them up their security and customize their networks. Such features include the policy-based routing I mentioned earlier as well as things such as advanced Quality of Service (QoS), real-time monitoring from anywhere, Dynamic DNS (DDNS), and more.

VPN Business Benefits

If some of the features just listed sound a little like things the IT person at work would like, then that's because they are. And it also means that flashing your router to DD-WRT or another third-party router OS might get your business some additional benefits. Exactly what those benefits are depends on your business and what it needs from its network, though "more speed" and "more options" is always a good thing.

One specific thing that might improve is the way your business can use its VPNs. While providing a VPN service to every user can have benefits for small businesses, midsize and larger-sized businesses will want to set up their own VPN gateways rather than hiring them out to a third party, such as NordVPN or Private Internet Access VPN for each individual user. That's not only for security and compliance reasons, but also for performance since your IT staffers will have better control of your users' internet experience this way.

But another option important to businesses will be the ability to connect different geographic sites using VPNs. In the misty days of yore, if your business had a headquarters (HQ) in New York and a field office in Maryland, then you'd have to pay the phone company to let you share some kind of wire that ran between those locations; this was usually expensive. With the internet, that business took a fast nosedive until companies realized that their data was wide open to capture while it traversed the web. Perfect solution: site-to-site VPNs—all the low cost of the internet with all of the privacy of high-grade encryption.

Site-to-site VPNs are essentially VPNs that "tunnel" through the web using encryption as the tunnel's walls. They're generally permanent rather than session-based, and remain constantly open between two static routers, essentially putting those two routers and everything behind them on the same network (in the case of our example, one at HQ in New York and one at the field office in Maryland). You still save big bucks over the old-style telecommunications solution, but your data is safe and encrypted in its cozy VPN tunnel. This is the same technology NordVPN uses to connect you to its servers via that little web client you downloaded; it's just being established between two routers for the purpose of shuttling traffic between them. By flashing your routers to DD-WRT, you're guaranteed this ability. However, that's not the only way to get it.

Many routers, even consumer-grade routers, can manage a site-to-site VPN either by using their own VPN client or using OpenVPN. The reason so many consumer-grade routers have this capability is because of telecommuting. Many companies require telecommuters to connect to corporate servers only through a VPN, so having a sub-$100 Linksys home router support it is much more attractive for consumers than forcing them to use a router provided by their IT department. And it's more attractive to the business because that IT router could have cost the business upwards of $600 or more—much more when you factor in man-hours spent on configuration, deployment, and maintenance.

The Purpose-Built, Business-Grade Router

But, while DIY or pre-flashed DD-WRT routers can have benefits for even small businesses, you'd be remiss if you didn't first investigate the VPN routing options available specifically for business and IT customers. All of the routers and VPN services I've mentioned here are primarily aimed at a consumer audience, with spillover into the small business and startup markets. However, more established small businesses and larger organizations will want to investigate routers aimed specifically at them, such as the Linksys LRT224 Dual WAN Gigabit VPN Router.

Boxes like this come with the ability to run multiple VPN technologies simultaneously, and have user interfaces (UIs) designed to let IT managers use them as VPN gateways to allow multiple outside connections for all your telecommuters and roaming workers. They also have a host of other IT features, such as anywhere monitoring and security capabilities like distributed denial of service (DDOS) protection.

Click through the review links of the best VPN routers below for a walk-through of each model's features and specs, as well as performance results. Then feel free to use the comment section below to let us know if you've set up a VPN router yourself.

Bottom Line: The D-Link AC5300 Ultra Wi-Fi Router (DIR-895L/R) is a slick-looking, fully loaded tri-band router that delivers some of the fastest scores we've seen in throughput and file-transfer tests.

Bottom Line: If you frequently game online or stream 4K video, the Asus RT-AC5300 is a tri-band router that delivers speedy 2.4GHz and 5GHz throughput and offers an abundance of management settings, as well as Multi-User Multiple Input, Multiple Output (MU-MIMO) data streaming.

Bottom Line: The Netgear Nighthawk AC2300 (R7000P) is a dual-band router that offers good close-range throughput and a handful of subscription-based network security and parental-control options, but its long-range performance could be better.

Get Our Best Stories!

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.